A critical remote code execution (RCE) flaw, CVE-2026-45247, affecting the Mirasvit Cache Warmer extension for Magento, was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on June 4, 2026. CISA mandated federal agencies patch this deserialization vulnerability by June 19, 2026. The flaw carries a CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary PHP code by sending a crafted cookie. It is actively exploited in the wild, making immediate remediation critical for any organization running Magento with the vulnerable extension. Patch it now; the window for federal agencies is tight, and attackers are not waiting.

What Happened

On June 4, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive, adding CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) Catalog. This action immediately triggered a remediation mandate for all Federal Civilian Executive Branch (FCEB) agencies, requiring them to patch the vulnerability by June 19, 2026. The flaw itself is a critical remote code execution (RCE) vulnerability found within the Mirasvit Cache Warmer, a widely deployed full-page cache extension used on Magento e-commerce platforms. Sansec, a Dutch security firm, provided confirmed details on the exploitability of this PHP object injection flaw, noting its active exploitation in the wild.

Attackers are exploiting CVE-2026-45247 through a deserialization of untrusted data issue. Specifically, a specially crafted CacheWarmer cookie, sent within any storefront request, is deserialized by PHP's unserialize() function without requiring any prior authentication or administrator privileges. This enables attackers to manipulate the objects PHP reconstructs, leading directly to arbitrary PHP code execution on the server. The high CVSS score of 9.8 reflects the severity, confirming that successful exploitation grants full control over the affected server, potentially exposing sensitive corporate and customer data. No specific malware family or explicit Indicators of Compromise (IOCs) beyond the exploit mechanism itself have been publicly associated with the exploitation of this CVE.

Why It Matters

This is a critical RCE in a widely used e-commerce platform extension that CISA has confirmed as actively exploited, as indicated by its KEV listing. A CVSS score of 9.8 signifies maximum severity, indicating that an unauthenticated attacker can achieve full system compromise with minimal effort. For any organization running Magento with the Mirasvit Cache Warmer, this vulnerability directly translates to a significant risk of data breaches, website defacement, or complete server takeover. Arbitrary code execution means attackers can install backdoors, exfiltrate customer databases, pivot to other internal systems, or even deploy ransomware.

The mandated June 19, 2026, deadline for federal agencies underscores the immediate and widespread danger. While the directive applies to FCEB entities, the active exploitation noted by CISA suggests private sector organizations are equally, if not more, at risk. The Mirasvit Cache Warmer's popularity means a broad attack surface across thousands of e-commerce sites. Deserialization vulnerabilities are a persistent and often easily exploited class of flaws; this one is no different. Patch it now.

Affected Scope & Remediation

The primary affected scope for CVE-2026-45247 encompasses any Magento e-commerce platform currently utilizing the Mirasvit Cache Warmer extension. Given the extension's popularity, this represents a significant number of online stores globally. The exploit requires no authentication, making publicly accessible Magento instances prime targets.

Remediation is straightforward: update the Mirasvit Cache Warmer extension immediately. While specific affected and fixed version numbers for the Mirasvit Cache Warmer extension were not detailed in the immediate CISA advisory, Mirasvit usually releases security updates promptly. Consult the official Mirasvit documentation or your Magento administrator panel for the latest version available.

Here's a breakdown of the relevant information:

Metric                     Value                                       Source
Affected Product           Mirasvit Cache Warmer for Magento           NVD
Vulnerability Type         Deserialization of Untrusted Data / RCE     NVD
Exploit Status             Actively Exploited                          CISA KEV Catalog
CISA KEV Added             June 4, 2026                                CISA KEV Catalog
FCEB Remediation Deadline  June 19, 2026 (15 days from KEV listing)    CISA KEV Catalog

[Chart: key metrics for CISA KEV: Magento RCE Flaw CVE-2026-45247 Actively Exploited; data from the sources cited above]

The remediation timeline for federal agencies is extremely condensed, which highlights the urgency: the advisory came on June 4, 2026, with a deadline of June 19, 2026, a mere 15-day window. If a patch is not immediately available, disabling the Mirasvit Cache Warmer extension is a critical temporary mitigation. This will impact site performance, so treat it as a stopgap until the official patch can be applied. Monitor your logs for suspicious requests to Magento storefront endpoints, especially those carrying the CacheWarmer cookie; cookie-borne payloads are hard to spot without endpoint telemetry (kernel-level EDR tooling) or network traffic analysis (for example Cloudflare Zero Trust). Inclusion in CISA's KEV catalog means you must patch this, and doing so maps directly to NIST SP 800-53 control SI-2 (Flaw Remediation), which mandates timely correction of system flaws.

NVD advisory — CVE-2026-45247

Technical Breakdown

The core of CVE-2026-45247 lies in a classic deserialization of untrusted data vulnerability, specifically within the Mirasvit Cache Warmer's handling of the CacheWarmer cookie. PHP's unserialize() function is notoriously dangerous when processing data not rigorously validated or sanitized. In this case, an attacker crafts a malicious PHP object payload, serializes it, and then injects it into the CacheWarmer cookie. When the Magento application processes any storefront request, the Mirasvit extension picks up this cookie, trusts its content, and attempts to unserialize() it.

Think of it like this: You give someone a detailed set of instructions to build a toy car. If those instructions include a step to "install a tiny rocket engine," and you blindly follow them without checking if "rocket engine" is a legitimate component for a toy car, you have just built something entirely different, and possibly dangerous. Similarly, the unserialize() function blindly reconstructs objects from the provided cookie data. If the cookie contains serialized PHP objects designed to trigger arbitrary function calls or instantiate malicious classes upon deserialization, the PHP interpreter executes them. This allows an attacker to inject and run their own PHP code on the server, effectively achieving remote code execution. This entire process bypasses authentication because the vulnerability exists in the initial handling of an unauthenticated request.
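As an added example (not Mirasvit's or Magento's code), the hypothetical handler below shows the cookie-to-unserialize() pattern described in the breakdown next to a hardened version that refuses objects, validates the payload shape and logs rejected cookies, the kind of signal the monitoring advice in the remediation section needs. The cookie name comes from the advisory; the expected payload (a flat list of storefront paths) and the log sink are assumptions.

```php
<?php
// Added illustration, not Mirasvit's or Magento's code: a hypothetical
// handler for the "CacheWarmer" cookie (name from the advisory) showing
// the vulnerable pattern the advisory describes next to a hardened one.
// Assumption: the legitimate payload is a flat list of storefront paths.

// Vulnerable pattern: attacker-controlled cookie data goes straight into
// unserialize(), so any serialized object is reconstructed and its magic
// methods (__wakeup, __destruct, ...) run inside the application.
function loadWarmerStateVulnerable(array $cookies)
{
    return unserialize($cookies['CacheWarmer'] ?? '');
}
// Hardened pattern:
//  1. never reconstruct objects: allowed_classes => false turns any object
//     token into __PHP_Incomplete_Class instead of a live object;
//  2. validate the decoded value against the shape we actually expect;
//  3. log and discard everything else, so probes show up in monitoring.
//  (Better still: keep no serialized state in cookies at all.)
function loadWarmerStateHardened(array $cookies, callable $log): array
{
    $raw = $cookies['CacheWarmer'] ?? '';
    if ($raw === '' || strlen($raw) > 4096) {
        return [];
    }
    // Cheap pre-check: a list of strings never contains an object token.
    if (preg_match('/[OC]:\d+:"/', $raw)) {
        $log('rejected CacheWarmer cookie carrying a serialized object token');
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        $log('rejected CacheWarmer cookie: not a serialized array');
        return [];
    }
    $clean = [];
    foreach ($data as $path) {
        // Accept only relative storefront paths; drop anything else.
        if (is_string($path) && preg_match('#^/[\w\-./]*$#', $path)) {
            $clean[] = $path;
        } else {
            $log('dropped unexpected CacheWarmer entry');
        }
    }
    return $clean;
}
// Constructed sample inputs for a stand-alone run (php this_file.php).
$log = function (string $msg) { fwrite(STDERR, date('c') . " cachewarmer: $msg\n"); };
var_dump(loadWarmerStateHardened(['CacheWarmer' => serialize(['/', '/men/shoes.html'])], $log));
var_dump(loadWarmerStateHardened(['CacheWarmer' => 'O:8:"stdClass":0:{}'], $log));
```

The first call returns both paths; the second (a benign empty stdClass token) is rejected before unserialize() runs and produces a log line you can alert on.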

This attack maps directly to T1190 Exploit Public-Facing Application within the MITRE ATT&CK framework. Attackers use a known vulnerability in a web-facing component to gain initial access and execute code. Once code execution is achieved, they can then move on to other tactics like credential dumping or persistence. Ensuring strong input validation and avoiding unserialize() on untrusted data are fundamental security principles that were overlooked here. From a compliance perspective, the immediate patching action aligns with SI-2 Flaw Remediation from NIST SP 800-53, underscoring the necessity to quickly address security vulnerabilities as soon as they are identified and exploited.

Historical Context

Deserialization vulnerabilities like CVE-2026-45247 are a persistent problem in web application security, dating back decades. A notable parallel can be drawn to the Apache Struts 2 RCE vulnerabilities, such as CVE-2017-5638 from 2017. That flaw allowed unauthenticated attackers to execute arbitrary code by manipulating the Content-Type header, which was then parsed by the OGNL expression language. While the specific mechanism differed (OGNL expression injection versus PHP object deserialization), both vulnerabilities shared critical commonalities: they were unauthenticated, led to immediate RCE on publicly accessible web servers, and exploited a flaw in how the application processed untrusted input without proper validation.

Another example is the broader class of PHP unserialize() vulnerabilities that have plagued applications for years, often impacting popular frameworks and extensions. These regularly surface and are quickly weaponized. The key difference with this Magento vulnerability is its specific targeting of a widely used third-party extension, not the core Magento platform itself. However, the consequence — unauthenticated RCE — remains identically severe. Attackers consistently target publicly exposed services with critical, easy-to-exploit vulnerabilities. This pattern makes proactive patching, coupled with strong boundary protection (NIST SP 800-53 SC-7), absolutely necessary.

Data at a Glance

Metric                     Value                                        Source
CVE ID                     CVE-2026-45247                               NVD
CVSS Score                 9.8                                          NVD
CISA KEV Addition Date     June 4, 2026                                 CISA KEV Catalog
FCEB Remediation Deadline  June 19, 2026                                CISA KEV Catalog
Days to Patch (FCEB)       15 days                                      CISA KEV Catalog
Attack Type                Deserialization RCE                          NVD
Exploit Method             Crafted CacheWarmer cookie, unauthenticated  SecurityWeek

The CVEDaily Take

This CVE-2026-45247 situation shows that your supply chain is your attack surface. A popular, seemingly innocuous extension can become a critical Achilles' heel for your entire e-commerce operation. Ignoring the KEV catalog, especially with a strict federal deadline, is outright negligence. We think organizations are still underestimating the risk posed by third-party extensions; this isn't a new vulnerability class, but the sheer volume of active exploitation points to widespread neglect in vetting these components. We also need to get better at performing regular security audits to catch these issues before CISA has to step in.

Has your team implemented a regular audit process for third-party Magento extensions, specifically looking for deserialization risks?

FAQ

Q: What specific action should I take to address CVE-2026-45247?
A: Immediately update your Mirasvit Cache Warmer extension for Magento to the latest available patched version. If an immediate patch is not available or feasible, temporarily disable the extension as a critical mitigation, understanding this may impact website performance.

Q: Is my Magento store vulnerable if I do not use the Mirasvit Cache Warmer extension?
A: No, if your Magento store does not have the Mirasvit Cache Warmer extension installed and active, it is not directly vulnerable to CVE-2026-45247. However, you should still regularly audit all third-party extensions and your core Magento installation for other potential vulnerabilities.

Q: What is the risk if I do not patch CVE-2026-45247 by the federal deadline?
A: For Federal Civilian Executive Branch agencies, failing to patch by June 19, 2026, means non-compliance with a CISA directive, potentially leading to audits and further action. For all other organizations, the risk is severe and immediate: unauthenticated remote code execution, which grants attackers full control over your Magento server and all associated data.